[strongSwan] IKEv1 Pubkey Auth Fails from Windows to Linux
Tobias Brunner
tobias at strongswan.org
Wed Feb 3 16:08:08 CET 2016
Hi Quinn,
> charon: 16[CFG] reached self-signed root ca with a path length of 0
> charon: 16[CFG] using trusted certificate "C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384"
> charon: 16[IKE] signature validation failed, looking for another key
While the daemon finds a verified certificate/public key for that
identity/DN, the signature apparently was not created with the
corresponding private key.
> charon: 13[CFG] using trusted certificate "C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384"
> charon: 13[IKE] authentication of 'C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384' with ECDSA successful
> charon: 13[IKE] authentication of 'C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384' (myself) successful
Certificates used by different hosts seem to use the same subject DN.
Are these actually the same certificates/keys?
> charon: 11[IKE] received cert request for 'DC=com, DC=test, DC=go, CN=CERTSERVER-CA'
> charon: 11[IKE] received cert request for 'C=US, O=test, OU=test, CN=QdCertSaIke2P384'
> charon: 11[IKE] received end entity cert "C=US, O=test, OU=test, CN=QdCertSaIke2P384"
Why would the Windows host send a certificate request for the end-entity
certificate? Seems like a misconfiguration (e.g. certificate in the
wrong keystore).
Regards,
Tobias
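
The three observations in the reply above can be checked mechanically against a charon log. This is an added example, not part of the original message and not strongSwan code; the `triage` function and its finding names are hypothetical, and it matches only the message wording quoted above.

```python
import re
from collections import defaultdict

# Log lines quoted in the message above (charon, IKEv1 public key auth).
SAMPLE_LOG = """\
charon: 16[CFG] reached self-signed root ca with a path length of 0
charon: 16[CFG] using trusted certificate "C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384"
charon: 16[IKE] signature validation failed, looking for another key
charon: 13[CFG] using trusted certificate "C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384"
charon: 13[IKE] authentication of 'C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384' with ECDSA successful
charon: 13[IKE] authentication of 'C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384' (myself) successful
charon: 11[IKE] received cert request for 'DC=com, DC=test, DC=go, CN=CERTSERVER-CA'
charon: 11[IKE] received cert request for 'C=US, O=test, OU=test, CN=QdCertSaIke2P384'
charon: 11[IKE] received end entity cert "C=US, O=test, OU=test, CN=QdCertSaIke2P384"
"""

LINE = re.compile(r'charon: (\d+)\[\w+\] (.*)')   # thread id, message text
DN = re.compile(r'''["']([^"']+)["']''')          # first quoted DN in a message

def triage(log):
    """Return (finding, subject DN) pairs for the three symptoms in the reply."""
    findings, last_cert = [], {}      # last_cert: thread id -> DN last selected
    roles = defaultdict(set)          # DN -> {"peer", "myself"}
    requested, end_entity = set(), set()
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        tid, msg = m.groups()
        dn_match = DN.search(msg)
        dn = dn_match.group(1) if dn_match else None
        if msg.startswith("using trusted certificate"):
            last_cert[tid] = dn
        elif msg.startswith("signature validation failed"):
            # Trusted cert found for the DN, but its key did not verify the signature.
            findings.append(("key_mismatch", last_cert.get(tid)))
        elif msg.startswith("authentication of") and msg.endswith("successful"):
            roles[dn].add("myself" if "(myself)" in msg else "peer")
        elif msg.startswith("received cert request for"):
            requested.add(dn)
        elif msg.startswith("received end entity cert"):
            end_entity.add(dn)
    # Same subject DN used for the local identity and for the peer.
    findings += [("shared_dn", d) for d in roles if roles[d] == {"peer", "myself"}]
    # Peer asked for a "CA" whose DN is the end-entity certificate it then sent.
    findings += [("certreq_for_end_entity", d) for d in sorted(requested & end_entity)]
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `key_mismatch` or `shared_dn` finding is the cue to compare the public keys of the certificates on both hosts rather than their subject DNs.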